Abstract



A proof is concurrent zero-knowledge if it remains zero-knowledge when many copies of the proof are run in an asynchronous environment, such as the Internet. It is known that zero-knowledge is not necessarily preserved in such an environment p4[ |29J , H . Designing concurrent zero-knowledge proofs is a fundamental issue in the study of zero-knowledge since known zero-knowledge protocols cannot be run in a realistic modern computing environment. In this paper we present a concurrent zero-knowledge proof system for all languages in NP. Currently, the proof system we present is the only known proof system that retains the zero-knowledge property when copies of the proof are allowed to run in an asynchronous environment. Our proof system has $\tilde{O}(\log k)$ rounds (for a security parameter $k$), which is almost optimal, as it is shown in B that black-box concurrent zero-knowledge requires $\Omega(\log k)$ rounds.

Canetti, Goldreich, Goldwasser and Micali introduced the notion of resettable zero-knowledge, and modified an earlier version of our proof system to obtain the first resettable zero-knowledge proof system. This protocol requires $k^{\varepsilon}$ rounds. We note that their technique also applies to our current proof system, yielding a resettable zero-knowledge proof for NP with $\tilde{O}(\log k)$ rounds.




1 Introduction 



Zero-knowledge proof systems, introduced by Goldwasser, Micali and Rackoff [21], are interactive proofs that yield no knowledge beyond the validity of the proven assertion. These proofs have proven to be important tools for a variety of cryptographic applications. However, the original definition of zero-knowledge considers security only in a restricted scenario in which the prover and the verifier execute one instance of the proof disconnected from the rest of the computing environment.

In recent years, several papers have studied the effect of a modern computing environment on the security of zero-knowledge. In particular, many computers today are connected through networks in which connections are maintained in parallel asynchronous sessions. It is common to find several connections (such as FTP, Telnet, an Internet browser, etc.) running together on a single workstation. Can zero-knowledge protocols be trusted in such an environment?
1.1 Previous work

Composing zero-knowledge proofs in an asynchronous environment was first mentioned by Feige [11], and first explored in a rigorous setting by Dwork, Naor, and Sahai pj. Dwork, Naor and Sahai called zero-knowledge protocols that are robust to asynchronous composition concurrent zero-knowledge protocols. They observed that for several known zero-knowledge proofs, a straightforward adaptation of their original simulation to the asynchronous environment may cause the simulator to run in exponential time. Thus, it seems that the zero-knowledge property does not necessarily carry over to the asynchronous setting.

Kilian, Petrank, and Rackoff [24] gave the first lower bound for concurrent zero-knowledge, showing that any language that has a 4-round concurrent (black-box) zero-knowledge interactive proof or argument is in BPP. Thus, a large class of known zero-knowledge interactive proofs and arguments for non-trivial languages do not remain zero-knowledge in an asynchronous environment. Rosen [^] has improved this lower bound from 4 rounds to 7, and Canetti, Kilian, Petrank and Rosen have recently improved the lower bound substantially, showing that concurrent black-box zero-knowledge proof systems for non-trivial languages require $\Omega(\log k)$ rounds. A natural question is whether there exists a fully asynchronous (concurrent) zero-knowledge proof for NP.

1.2 This work 

In this paper, we exhibit the first (and currently the only known) concurrent (black-box) zero-knowledge interactive proof for any language in NP. Our proof system has $\omega(\log^2 k)$ rounds, where $k$ is the security parameter. Namely, the running time of all efficient parties is bounded by a polynomial in $k$, and so is the number of copies of the proof that may be run concurrently. By saying that the number of rounds is $\omega(\log k)$ we mean that the number of rounds may be set to $h(k) \cdot \log k$, for any function $h : \mathbb{N} \to \mathbb{N}$ that cannot be bounded by any constant.

The concurrent zero-knowledge interactive proof for NP that we present relies on the existence of secure bit commitment schemes with statistical binding and bit commitment schemes with statistical secrecy (see Section 2.2 below). Using [25], the first can be efficiently based on any pseudo-random generator (and thus on any one-way function), and using ]l[ [2f], Q , the latter can be efficiently based on the existence of collision-intractable hash functions. Our proof system may be run by an efficient prover that is given the witness for the (NP) assertion in the input.

Finally, the proof system we present is a family of proof systems, parameterized by the number of rounds. The proof as presented may be used with any number of rounds (above some required constant). The analysis we provide shows that it is concurrent zero-knowledge when the number of rounds is set to $\omega(\log k)$. By the lower bound, we know that if we set the number of rounds too low, then the proof system does not remain concurrent zero-knowledge. Possibly, the same proof system remains zero-knowledge even if the number of rounds is set to $O(\log n)$, but we do not know how to show it. This is an interesting open question.

1.2.1 Resettable zero-knowledge 

Finally, we note that the techniques in p] apply to our new protocol. Thus, our concurrent zero-knowledge interactive proof can be modified to be made resettable zero-knowledge. Resettable zero-knowledge proofs were presented by Canetti, Goldreich, Goldwasser and Micali Q. Such proofs are zero-knowledge proofs that, on top of being concurrent, maintain the zero-knowledge property when the verifier is allowed to run the prover repeatedly on a fixed (yet randomly chosen) random tape. The practical motivation behind such robustness is the use of zero-knowledge in smartcards, where the prover (the card) can be reset by the verifier to run repeatedly without access to additional random coin tosses. It is assumed that the actual random tape of the card is hidden from the verifier, and it is shown in H how this hidden randomness can be used to allow such robustness of a zero-knowledge proof.



Canetti, Goldreich, Goldwasser and Micali modified an earlier version of our proof system to obtain the first resettable zero-knowledge proof system. This protocol requires $k^{\varepsilon}$ rounds. We note that their technique also applies to our current proof system, yielding a resettable zero-knowledge proof for NP with $\tilde{O}(\log k)$ rounds. Previously, there was no sub-polynomial resettable zero-knowledge proof in a general asynchronous environment. We remark that as with concurrent zero-knowledge, if one makes set-up assumptions, then one may get more efficient proofs. For example, in the public key model there exist more efficient resettable zero-knowledge proofs, see @.



The definition of resettable zero-knowledge and related issues appear in Section 8.1 below. For a more detailed discussion, motivation, and definitions the reader is referred to [||.

1.3 In light of the lower bound 

Several works have overcome the difficulty of the asynchronous setting by making some compromises: for example, compromising the strength of zero-knowledge security by settling for witness indistinguishability [14], putting limits on the asynchronicity of the system (a.k.a. timing assumptions) []|, [l(], [|], or making some set-up assumptions on the environment (such as a public key infrastructure) |], ||].

1.4 Terminology 

Some words on the terminology we are using. By zero-knowledge we mean computational zero-knowledge, i.e., the distribution output by the simulation is polynomial-time indistinguishable from the distribution of the views of the verifier in the original interaction. (See definitions in Section 2.1 below.) Our proof is black-box zero-knowledge (see Section 2.4 below). The proof will be perfectly sound, i.e., we will construct an interactive proof, yet it will be possible to run the prover in polynomial time given a witness to the NP assertion that the prover is making.

1.5 Guide to the paper 

In Section 2 we present some definitions and the tools we are using. In Section 3 we state our results. In Section 4 we present the concurrent zero-knowledge interactive proof for NP. In Section 5 we provide a simulator for the interaction between the prover and any (adversarial) verifier. In Section 6 we analyze the simulator with respect to a static schedule. Namely, the schedule may be the worst possible, but it is not modified during the rewinds of the simulator. In Section 7 we show that the simulator works as well with respect to schedules that change dynamically during the simulation. Thus, our proof system is concurrent zero-knowledge. Finally, in Section 8, we discuss our protocol in the resettable zero-knowledge model.

2 Preliminaries 

In this section we go over the definitions and the tools we are using. We postpone the definitions and discussion of resettable zero-knowledge to Section 8.

2.1 Zero-knowledge proofs 

Let us recall the concept of interactive proofs, as presented by [21]. For formal definitions and motivating discussions the reader is referred to [21].



Definition 2.1 A protocol between a (computationally unbounded) prover $P$ and a (probabilistic polynomial-time) verifier $V$ constitutes an interactive proof for a language $L$ if there exists a negligible fraction $\varepsilon$ such that

• Completeness: If $x \in L$ then

$\Pr[(P,V)(x) \text{ accepts}] \ge 1 - \varepsilon(|x|)$

• Soundness: If $x \notin L$ then for any prover $P^*$

$\Pr[(P^*,V)(x) \text{ accepts}] \le \varepsilon(|x|)$

Brassard, Chaum, and Crépeau ||] suggested a modification of interactive proofs called arguments, in which the prover is also polynomial-time bounded. Thus, the soundness property is modified to be guaranteed only for probabilistic polynomial time provers $P^*$.

Let $(P,V)(x)$ denote the random variable that represents $V$'s view of the interaction with $P$ on common input $x$. The view contains the verifier's random tape as well as the sequence of messages exchanged between the parties.

We briefly recall the definition of black-box zero-knowledge [21], [27], [17], pC[| . The reader is referred to |E0| for more details and motivation.



Definition 2.2 A protocol $(P,V)$ is computational zero-knowledge (resp., statistical zero-knowledge) over a language $L$ if there exists an oracle probabilistic polynomial time machine $S$ (the simulator) such that for any polynomial time verifier $V^*$ and for every $x \in L$, the distribution of the random variable $S(x)$ is polynomially indistinguishable from the distribution of the random variable $(P,V^*)(x)$ (resp., the statistical difference between $S(x)$ and $(P,V)(x)$ is a negligible function in $|x|$).

In this paper, we concentrate on computational zero-knowledge. In the sequel we will say zero- 
knowledge meaning computational zero-knowledge. 

2.2 Bit commitments 

We include a short and informal presentation of commitment schemes. For more details and motivation, see [15]. A commitment scheme involves two parties: the sender and the receiver. These two parties are involved in a protocol which contains two phases. In the first phase the sender commits to a bit, and in the second phase it reveals it. A useful intuition to keep in mind is the "envelope implementation" of bit commitment. In this implementation, the sender writes a bit on a piece of paper, puts it in an envelope and gives the envelope to the receiver. In a second (later) phase, the reveal phase, the receiver opens the envelope to discover the bit that was committed on. In the actual digital protocol, we cannot use envelopes, but the goal of the cryptographic machinery used is to simulate this process.

More formally, a commitment scheme consists of two phases. First comes the commit phase 
and then we have the reveal phase. We make two security requirements which (loosely speaking) 
are: 

Secrecy: At the end of the commit phase, the receiver has no knowledge about the value committed 
upon. 

Binding property: It is infeasible for the sender to pass the commit phase successfully and still 
have two different values which it may reveal successfully in the reveal phase. 

Various implementations of commitment schemes are known, each with its advantages in terms of security (i.e., binding for the receiver and secrecy for the sender), the assumed power of the two parties, etc.

Two-round commitment schemes with perfect secrecy can be constructed from any collection of claw-free permutations; see [15]. It is shown in Q how to commit to bits with statistical security, based on the intractability of certain number-theoretic problems. Damgård, Pedersen and Pfitzmann [7] give a protocol for efficiently committing to and revealing strings of bits with statistical security, relying only on the existence of collision-intractable hash functions. This scheme is quite practical and we adopt it for the verifiers in our protocol. For the prover, we use a commitment scheme whose binding is information theoretic and whose security is computational. Such schemes can be constructed from any one-way function, see [25]. For simplicity, we simply speak of committing to and revealing bits when referring to the protocols of [7] for the verifier and [25] for the prover.

The schemes we use have the property that the receiver chooses some random string in the beginning which is later used for the commitments. It is a property of these schemes that with high probability the random choice is "good" in the sense that a polynomial number of commitments can be done with the same random choice without compromising the security of the commitment scheme. This will be used for the resettable interactive proof in Section 8. For all protocols, we need to verify that the properties of the commitment schemes hold in the concurrent setting.

Claim 2.3 (Robustness of bit commitment schemes to a concurrent setting):

1. The binding property of any bit commitment scheme holds in the concurrent setting.

2. If the committer commits only on strings chosen uniformly at random from $\{0,1\}^k$, then the secrecy property of the commitment scheme holds also in the concurrent setting.

Proof: By definition, the binding property must be robust to asynchronous composition. Otherwise, the committer may play a mental game in which his real stand-alone commitment is part of an asynchronous game which he simulates, and then defeat the binding property in the normal stand-alone world.

As for the secrecy, a similar argument may be more complicated, since the receiver cannot simulate the behavior of the committer. Specifically, the committer has some information that the receiver does not have: the value of the committed string, which may be used in the other commitments. However, in our case, the committer commits only on uniformly chosen random strings. Thus, if the committer follows the protocol, then the receiver is able to simulate the rest of the environment and the above argument holds for secrecy as well. □

In the protocol we present, the committers always commit on uniformly chosen random strings in $\{0,1\}^k$. Thus, the commitment scheme is secure in the concurrent setting.

2.3 Witness Indistinguishability 



Witness indistinguishable proofs were presented in [14]. The motivation was to provide a cryptographic mechanism whose notion of security is similar to, though weaker than, zero-knowledge, yet is meaningful and useful for cryptographic protocols, and whose security is preserved under asynchronous composition. A witness indistinguishable proof is a proof for a language in NP such that the prover uses some witness to convince the verifier that the input is in the language, yet the view of the verifier in case the prover uses witness $w_1$ or witness $w_2$ is polynomial-time indistinguishable. Thus, the verifier gets no knowledge of which witness was used in the proof. The formal definition follows. For further discussion and motivation the reader is referred to [14].

We say that a relation $R$ is polynomial time if there exists a machine that, given $(x,w)$, works in time polynomial in $|x|$ and determines whether $(x,w) \in R$. For any NP language $L$ there exists a polynomial time relation $R_L$ such that $L$ can be described as $L = \{x : \exists y,\ R_L(x,y)\}$.

Definition 2.4 A proof system $(P,V)$ is witness indistinguishable over a polynomial time relation $R$ if for any $V'$, any large enough $x$, any $w_1, w_2$ such that $(x,w_1) \in R$ and $(x,w_2) \in R$, and for any auxiliary input $y$ for $V'$, the view of $V'$ in the interaction with $P(x,w_1)$ is polynomially indistinguishable from the view of $V'$ in the interaction with $P(x,w_2)$.



It is shown in [14] that witness indistinguishability is preserved under asynchronous composition of proofs. More precisely, if a proof is auxiliary-input witness indistinguishable and if the prover can run in polynomial time given the witness, then asynchronous (concurrent) composition of such proofs remains auxiliary-input witness indistinguishable (with efficient provers). See [14], p"H for more details. Note that any (auxiliary-input) zero-knowledge proof (even one that is not concurrent) is also (auxiliary-input) witness indistinguishable. In our proof system, we employ a constant round (auxiliary-input) zero-knowledge proof for the languages in NP in which the prover has an efficient procedure when given a witness to the NP assertion, such as in [16]. It follows that this proof is also (auxiliary-input) witness indistinguishable. Furthermore, since such witness indistinguishable proofs are also concurrent witness indistinguishable proofs, we get that the sub-proof we employ is concurrent witness indistinguishable.

2.4 Blackbox simulation 



The initial definition of zero-knowledge [20] requires that for any probabilistic polynomial time verifier $V$, a simulator $S_V$ exists that simulates $V$'s view. Oren [27] proposes a seemingly stronger, "better behaved" notion of zero-knowledge, known as black-box zero-knowledge. The basic idea behind black-box zero-knowledge is that instead of having a new simulator $S_V$ for each possible verifier, we have a single probabilistic polynomial time simulator $S$ that interacts with each possible $V$. Furthermore, $S$ is not allowed to examine the internals of $V$, but must simply look at $V$'s input/output behavior. That is, it can have conversations with $V$ and use these conversations to generate a simulation of $V$'s view that is computationally indistinguishable from $V$'s view of its interaction with $P$.

At first glance, the limitations on $S$ may seem to force $S$ to be as powerful as a prover. However, $S$ has important advantages over a prover $P$, allowing it to perform simulations in probabilistic polynomial time. First, it may set $V$'s coin tosses as it wishes, and even run $V$ on different sets of coin tosses. More importantly, $S$ may conceptually "back up" $V$ to an earlier point in the conversation, and then send different messages. This ability derives from $S$'s control of $V$'s coin tosses; since $V$ otherwise operates deterministically, $S$ can rerun it from the beginning, exploring different directions of the conversation by trying various messages.

Indeed, all known proofs of zero-knowledge construct black-box simulations. There is no known way to make use of a verifier's internal state, nor to customize simulators based on the description of $V$ other than by using it as a black box.¹ Thus, given the current state of the art, an impossibility result for black-box zero-knowledge seems to preclude a positive result for the older definitions of zero-knowledge.

2.5 Concurrent zero-knowledge 

Informally, we consider a proof system that has many copies running. Each of them consists of a prover and a verifier. We require that the provers do not cooperate. This can also be thought of as one prover with many sessions, but the behavior of the prover in any of the proofs depends only on the current proof and not on the other copies of the proof. (This complicates the construction of the proof system, since there is no central control that checks whether the verifiers are trying to cheat, or that tries to coordinate the timing of various copies of the proof.) On the other hand, we allow the verifiers to coordinate their strategies and information. Following ||, we consider a setting in which a polynomial time adversary controls many verifiers simultaneously. The adversary $A$ takes as input a partial conversation transcript of a prover interacting with several verifiers concurrently, where the transcript includes the local times on the prover's clock when each message was sent or received by the prover. The output of $A$ will be tuples of the form $(V, a, t)$, indicating that $P$ receives message $a$ from a verifier $V$ at time $t$ on $P$'s local clock. The adversary may either output a new tuple as above, or wait for $P$ to output its next message to one of the verifiers. The time that is written by the adversary in the tuple must be greater than all times previously used in the system (by messages sent to $P$ or by $P$). The view of the adversary on input $x$ in such an interaction (including all messages and times, and the verifiers' random tapes) is denoted $(P,A)(x)$. The following definition formalizes the above using the black-box formulation. We denote by $(P,A)(x)$ the distribution on the view of $A$ in its interaction with $P$.

¹ As one slight exception, |E2] proves security against space-bounded verifiers by considering the internal state of the verifiers. However, these techniques do not seem applicable to more standard classes of verifiers.

Definition 2.5 We say that an interactive proof (or argument) system $(P,V)$ for a language $L$ is (computational) concurrent zero-knowledge if there exists a probabilistic polynomial time oracle machine $S$ (the simulator) such that for any probabilistic polynomial time adversary $A$, the distributions $(P,A)(x)$ and $S(x)$ are computationally indistinguishable over the strings that belong to the language $L$.

In what follows, we will usually refer to the adversary A as the adversarial verifier V* or just the 
verifier V*. 

Simplifications: 

To simplify the analysis, we will only care about the order of the messages sent in the interaction 
and not about the delays between messages. To make the output of the simulator contain the 
delays dictated by the verifier, our simulator may write the output with the required delays on a 
working tape (instead of actually writing to the output tape) and after the order of messages and 
their delays has been determined and written (by the simulator we describe in this paper), the 
simulator may run a final stage in which it outputs the messages written on the working tape, in 
the same order and while inserting the appropriate delays between the messages. 

We further simplify the analysis by assuming that the prover responds immediately and with no delay to the verifier's messages. Of course, in real life, the adversarial verifier may insert a few quick messages before the prover outputs his message. However, this has no effect on our proof. The rewinding strategy should be modified to consider only verifier messages. Two points should be noted: the simulator may be easily adapted to output the prover's message at times dictated by the verifier rather than immediately, and the running time remains polynomial. The probability that the simulator is able to finish the simulation process after "solving" all protocols (see Section g below) does not change. Note that within one protocol this changes nothing: the order of messages remains the same and cannot be changed within one protocol.

2.6 The complexity parameters 

In this paper, we simplify the discussion by using a single security parameter $k$. Our proof has $\omega(\log k)$ rounds and the security is preserved with a polynomial (in $k$) number of concurrent proofs. It is possible to separate the number $k$ of allowed concurrent proofs from the security parameter. If we know that the number of proofs to be run concurrently is substantially smaller than the security parameter, then the number of rounds relates (poly-logarithmically) to the number of possible proofs (and not to the length of the input or the security parameter).

3 Main result 

Our main result is the existence of a poly-logarithmic round concurrent (and black-box) zero-knowledge interactive proof for NP. This result builds on the following assumptions.

Cryptographic Assumptions: We assume the existence of two-round commitment schemes with statistical security and the existence of two-round commitment schemes with statistical binding. Both assumptions are implied by the existence of a family of claw-free permutation pairs (see Section 2.2).

Let us state our main theorem given the above assumptions.

Theorem 3.1 Assume the above cryptographic assumptions. Let $k$ be a complexity parameter bounding the size of the input. The verifier is polynomial time in $k$, and the concurrent proof may contain a polynomial (in $k$) number of proofs concurrently. Then for any function $t(\cdot)$ asymptotically greater than $\log k$, i.e., $t(k) = \omega(\log k)$, there exists a $t(k)$-round zero-knowledge interactive proof for all languages in NP which is: computational, black-box, and concurrent.

This theorem is proven in Sections 4, 5, 6, and 7. First we present the protocol, next we present the simulator, and last, we analyze the simulator. Note that the proof transforms any round-efficient zero-knowledge interactive proof in which the prover can be implemented in polynomial time when given access to a witness to the NP theorem proven, into a concurrent zero-knowledge interactive proof.

For resettable zero-knowledge, the construction takes as a starting point the round-efficient proof of Goldreich and Kahan |H| and uses its specific structure. The theorem about round-efficient resettable zero-knowledge is proven in Section 8.

Theorem 3.2 Assume the above cryptographic assumptions. Let $k$ be a complexity parameter bounding the size of the input. The verifier is polynomial time in $k$, and thus may initiate at most a polynomial number (in $k$) of incarnations of the prover. Then for any function $t(\cdot)$ asymptotically greater than $\log k$, i.e., $t(k) = \omega(\log k)$, there exists a zero-knowledge argument for all languages in NP which is: computational, black-box, and resettable.

4 The zero-knowledge proof system 

Our concurrent zero-knowledge interactive proof system follows the ideas presented by Feige, Lapidot and Shamir [12]. On an input theorem $T$, the proof consists of a proof-preamble of $2m = \omega(\log k)$ rounds and a proof body being a "standard" constant round auxiliary-input zero-knowledge proof for a modified NP theorem $T'$. The parameter $m$ determines the round complexity of the proof system. Our analysis shows that the proof system is concurrent zero-knowledge when $m$ is set to any function $m = \omega(\log k)$, where $k$ is the security parameter. In the proof body one may use any round-efficient auxiliary-input zero-knowledge proof for NP. The proof system has to be of negligible error, of round complexity smaller than $m$, and one in which the prover can run in polynomial time given a witness to the NP theorem $T'$ that it must prove. All known constant round protocols such as [13, ^, It] will do. All these (auxiliary-input) zero-knowledge proofs are also (auxiliary-input) witness indistinguishable, which is enough for us. Feige and Shamir showed that witness indistinguishability is preserved in this case also in the asynchronous setting [O]. Note that the round complexity of the resulting proof system is $O(m)$, and our proof holds when $m$ is set to any function satisfying $m = \omega(\log k)$.

Let us concentrate now on the preamble, which is the main tool in transforming a regular zero-knowledge proof into a concurrent one. Let $T$ be the NP statement that the original prover would like to prove. We use a preamble with $2m$ rounds to start the proof. In this preamble, $P$ and $V$ each pick $m$ strings in $\{0,1\}^k$, denoted $p_1, p_2, \ldots, p_m$ and $v_1, v_2, \ldots, v_m$ respectively. The prover $P$ then proves that either $T$ is true or for some $i$, $1 \le i \le m$, $v_i = p_i$. We denote this modified theorem $T'$. For each $i$, $1 \le i \le m$, $P$ will have to determine $p_i$ before $v_i$ is revealed. Thus, this preamble will not give $P$ a meaningful advantage in proving the theorem. However, the simulator will be able to learn $v_i$, and then rewind the proof and set $p_i = v_i$. Thus, the simulator will have a witness to the modified theorem $T'$, and it may act as a real prover in the body of the proof. The full algorithm of the simulator is specified in Section 6 below.

The concurrent zero-knowledge argument for an input theorem $T$ goes as follows:

[Protocol figure not reproduced in this copy; its last step is the prover's zero-knowledge proof that $T$ is true or $\exists i$ s.t. $v_i = p_i$.]

In words: The verifier begins by committing to all its strings $v_1, \ldots, v_m$. After that, the prover commits to $p_i$ and then the verifier reveals $v_i$, for each $i = 1, 2, \ldots, m$. Finally, the prover gives a zero-knowledge proof that $T$ is true or there exists an $i$ s.t. $v_i = p_i$.

If the verifier fails to open one of its commitments properly, then the prover immediately aborts the proof. Ignoring the negligible chance that the commitments of the verifier turn out to fail the binding property, the strings $v_1, \ldots, v_m$ are fixed after the first round for the rest of the proof. Note that $v_i$ is revealed only after the prover $P$ commits on the value of $p_i$. Thus, if the security of the bit commitment holds, then $P$ can fix $p_i = v_i$ only with negligible probability. Furthermore, ignoring the negligible chance that the commitment of the prover is not secure, the verifier does not learn the value of any of the $p_i$'s, so it can never tell whether it holds that $p_i = v_i$ for some $1 \le i \le m$.

Denote the probability that the prover fails to prove a true statement the completeness error, and the probability that the verifier accepts a false statement (when the prover uses an arbitrary strategy within its computational limits) the soundness error. We claim that these error probabilities are only slightly changed by the modification made to the proof.

Claim 4.1 If the original proof has soundness error $\varepsilon_s$ and completeness error $\varepsilon_c$ then the modified proof has completeness error at most $\varepsilon_c$, and soundness error at most $\varepsilon_s + \varepsilon$ for some negligible (in the security parameter $k$) $\varepsilon$.

Proof: It is easy to see that the completeness property is not harmed by the modification. Regarding soundness, the additional advantage a prover $P^*$ may get over the original proof is the possibility to set $p_i = v_i$ for one of the rounds. We need to show that this cannot happen too often. Here, the security of the verifier's bit commitment is not enough. In order to make sure that the prover cannot cheat, we must require that the verifier's commitment is non-malleable Q. In order to cheat, the prover does not need to know the committed bit. It just needs to produce a commitment such that after the verifier opens its commitment to a certain string, the prover may open its commitment to the same string. Preventing this is exactly the issue in the non-malleability study, and one may use non-malleable commitment schemes as in [|j to make sure that the soundness property is preserved. However, it is not known how to achieve non-malleability in a constant round commitment scheme. Instead, we use the following trick to obtain non-malleability and keep the scheme efficient. The verifier commits using statistical secrecy. Thus, the value committed by the prover does not depend on the verifier's committed value (except with negligible probability). Next, the prover commits with an unconditionally binding scheme. Thus, the committed value binds the prover before it gets to see the verifier opening its commitment. Using these two schemes, the soundness holds. □

We remark that the problem is not symmetric: we do not need non-malleable commitment 
schemes for the prover. The reason for this asymmetry is that the prover never opens its 
commitments, so the verifier can only act upon the knowledge it gets from the commit stage. This 
information gives the verifier no advantage by the security property of the commitment scheme. 



5 The simulator 

We provide a black-box simulator for the above proof system (black-box simulation is discussed in 
Section 2.4). The adversarial verifier $V^*$ is given as a black box and the simulator interacts with it. 
This interaction will be used by the simulator to obtain a witness to the modified theorem $T'$. We 
assume that by the time the simulator gets to the body of the proof, it has such a witness. Thus, 
when simulating the main body, the simulator acts as the prover (which is an efficient algorithm 
given a witness to the NP theorem that has to be proven). 

The simulator will succeed in "guessing" one of the $v_i$'s by rewinding steps in the preamble. 
(Recall that the real prover cannot rewind the verifier, and cannot get this advantage.) In particular, 
the simulator will rewind the verifier at several points during their interaction. If the verifier reveals 
$v_i$ before a rewind, and the simulator rewinds the verifier back far enough, it may change the value 
of $p_i$ and commit on $p_i = v_i$. Since the verifier is committed to the value $v_i$ (as of the first round 
of the interaction), unless the rewind goes beyond the first round of the particular proof, 
the simulator need not worry that $v_i$ may change after it sets the commitment on $p_i$. Once the 
simulator has ensured that $p_i = v_i$ for some round $i$ in the preamble of a proof $\Pi$, we say that it has 
solved the proof $\Pi$. It can complete the rest of the simulation of $\Pi$ without further rewinding, by 
choosing $p_j$ arbitrarily for any $j \ne i$ and by playing the real prover in the main body of the proof 
$\Pi$ (recall that after solving a proof, it has a witness to the theorem $T'$ that has to be proven). We 
stress that the rest of the simulation requires no further rewinding. A key feature of this protocol 
is that any rewind in any of the $m$ rounds of the preamble suffices to solve the proof. Of course, if 
during a rewind the simulator is able to solve more than one proof by setting $p_j$'s of other proofs 
to values of $v_j$'s that were discovered during the first run of the rewound interval, then the simulator 
does that. It always solves the maximum number of proofs it can in a rewind. 
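The rewinding step just described (commit on a random $p_a$, see $V^*$ open $v_a$, rewind to just before the prover's message of that round, and commit on $p_a = v_a$ instead), as an added worked example in Python. This is not the paper's code: it models $V^*$ as a deterministic object with a fixed random tape, so a rewind is simply restoring a snapshot of that object, and it uses one SHA-256 commitment $H(\text{value} \| \text{randomness})$ for both parties as a stand-in for the two schemes the protocol actually requires (the paper needs a statistically secret scheme for the verifier and an unconditionally binding one for the prover; the stand-in is only computationally hiding and binding, which is enough to show the mechanics). The names `Verifier`, `run_preamble`, `solved_rounds`, `demo` and the seeds 1 and 2 are constructed for the example.

```python
"""Added example (not the paper's code): one preamble run against a black-box
V* with a fixed random tape, first as the real prover and then as the
simulator that rewinds round a and sets p_a = v_a."""
import copy
import hashlib
import random

L = 16  # constructed length in bytes of the strings v_i and p_i


def rand_bytes(rng, n=L):
    return bytes(rng.getrandbits(8) for _ in range(n))


def commit(value, rand):
    # Stand-in commitment H(value || rand); see the lead-in for what it replaces.
    return hashlib.sha256(value + rand).digest()


def verify_open(com, value, rand):
    return commit(value, rand) == com


class Verifier:
    """V* with a fixed random tape: picks v_1..v_m up front, commits to all of
    them in the first round, and opens v_i only after seeing P's commitment on p_i."""

    def __init__(self, m, seed):
        rng = random.Random(seed)                      # constructed random tape
        self.v = [rand_bytes(rng) for _ in range(m)]
        self.r = [rand_bytes(rng) for _ in range(m)]
        self.transcript = []                           # what V* has seen and sent

    def first_message(self):
        coms = [commit(v, r) for v, r in zip(self.v, self.r)]
        self.transcript.append(("V:commit", coms))
        return coms

    def round_reply(self, i, p_commitment):
        self.transcript.append(("P:commit", i, p_commitment))
        self.transcript.append(("V:open", i, self.v[i]))
        return self.v[i], self.r[i]


def run_preamble(verifier, m, rng, solve_round=None):
    """Run the m preamble rounds.  With solve_round=None this is the real prover:
    every p_i is random and is committed before v_i is known.  With solve_round=a
    the simulator runs round a once, learns v_a, rewinds V* to just before the
    prover's message of round a, and commits on p_a = v_a in the second run."""
    v_coms = verifier.first_message()
    p = [rand_bytes(rng) for _ in range(m)]            # prover's strings p_i
    rp = [rand_bytes(rng) for _ in range(m)]           # commitment randomness
    opened = []
    for i in range(m):
        if i == solve_round:
            snapshot = copy.deepcopy(verifier)         # rewind point: after round 1, so the v's are fixed
            v_a, _ = verifier.round_reply(i, commit(p[i], rp[i]))  # first run: learn v_a
            verifier = snapshot                        # rewind V*; the first run is abandoned
            p[i] = v_a                                 # second run: "guess" p_a = v_a
        v_i, r_i = verifier.round_reply(i, commit(p[i], rp[i]))
        if not verify_open(v_coms[i], v_i, r_i):       # V* must open what it committed to in round 1
            raise ValueError(f"round {i}: verifier opened a value it did not commit to")
        opened.append(v_i)
    return verifier, p, opened


def solved_rounds(p, opened):
    """Rounds i with p_i = v_i, i.e. the rounds in which the proof is solved."""
    return [i for i, (pi, vi) in enumerate(zip(p, opened)) if pi == vi]


def demo(m=4, solve_round=None):
    """Preamble against V* with constructed seeds; returns (kept V*, p, opened v's)."""
    return run_preamble(Verifier(m, seed=1), m, random.Random(2), solve_round)


if __name__ == "__main__":
    _, p, opened = demo()
    print("real prover, solved rounds:", solved_rounds(p, opened))
    v_star, p, opened = demo(solve_round=2)
    print("simulator, solved rounds:", solved_rounds(p, opened))
    print("P:commit messages in the kept transcript:",
          [t[1] for t in v_star.transcript if t[0] == "P:commit"])
```

The kept transcript belongs to the snapshot, so it contains exactly one prover commitment for round $a$: the first run's commitment is what the paper calls abandoned. The opened $v$'s are identical in both runs because the snapshot is taken after the first round, which is why the rewind must not go past it.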

Note that rewinding one step in one proof may render irrelevant the simulation of steps in other 
proofs that took place in between those steps. Thus, choosing a step to rewind according to the 
need to solve a proof $\Pi$ is dangerous. It may lead the simulation to run exponentially many 
steps, as noted in [?] and proved for a set of protocols in [24]. We employ a different strategy of 
rewinding. We specify a fixed rewinding schedule regardless of the history of the interaction and 
the scheduling of the proofs so far. Running this rewinding schedule will guarantee a polynomial 
amount of work, so that the simulation is polynomial time. Nevertheless, whatever schedule of 
proofs the adversarial verifier-scheduler may use, the simulation is guaranteed to solve all proofs 
during their preamble with high probability. 

Whenever the simulator rewinds the verifier, the second run of the rewind is the one that the 
simulator uses to continue the interaction. The first run is only used to get information and is 
then abandoned. The output is composed of the last full run, which is composed of second runs of 
relevant rewinds. 

One of the most problematic issues in the design of the simulator is the following. During the 
run of the simulator, the adversarial verifier $V^*$ may choose to send inappropriate messages. For 
example, it may choose not to reveal a value $v_i$ that it has committed on in the first round. The 
run of the simulator is composed of rewinds: it executes an interaction with the verifier $V^*$, then it 
rewinds $V^*$ and makes a second run, in which it may set the $p_j$'s according to information on the $v_i$'s 
obtained in the first run. When the adversarial verifier $V^*$ sends an inappropriate message for a 
proof $\Pi$, the simulator stops sending messages to $V^*$ for this proof $\Pi$ (as the normal prover would 
have done). If that happens in the first run of a rewind it has a bad effect: the simulator cannot 
solve the proof $\Pi$ after rewinding since it did not get to see the string $v_i$. However, if the verifier $V^*$ 
sends a bad message in the second run of a rewound interval, then the proof $\Pi$ is considered solved: 
the real prover aborts the interaction with the verifier in $\Pi$, and so does the simulator. This proof 
does not require solving since the body of the proof is not executed. 
5.1 The adversarial scheduler uses round slots 

We begin by simplifying our view of the adversarial schedule. Recall that we are running $k$ preambles, 
each with $2m$ rounds. As discussed in Section 2.5, we assume, w.l.o.g., that the real prover 
(and so also the simulator) always answers immediately. Also, we do not care about delays imposed 
by the verifier. We only care about the order of the various rounds in the full interaction. Thus, 
we get that the adversarial verifier $V^*$ may schedule an overall number of $k \cdot m$ pairs of rounds in 
the preambles. When specifying the rewinding strategy, we are only interested in the schedule of 
the preambles. We do not care how the bodies of the proofs are scheduled and whether they are 
rewound. We will never need to rewind the bodies: the simulator will behave like the real prover 
in the bodies; however, bodies may be rewound due to requirements on preambles of other proofs 
that run concurrently. 

Let us make a remark about the possibility that the adversarial verifier schedules messages in 
parallel. In the sequel, we do not explicitly consider parallel pairs of rounds. If the adversary sends 
more than one verifier message to the prover in parallel, then the prover answers all of them in 
parallel. Thus, we get fewer than $k \cdot m$ pairs of actual rounds run. In the analysis we will analyze the 
probability that "something bad" happens within a specific proof, ignoring the rest of the proofs 
that run with it. Thus, it will not matter if this proof is run in parallel to other proofs. Note 
that rounds of the same proof cannot run in parallel, since the order within a proof is guaranteed 
to be preserved in the concurrent setting. Parallel repetitions will reduce the number of pairs of 
rounds and that may only make the simulation more efficient. We will not explicitly discuss parallel 
repetitions in the sequel. 

For simplicity, from now on we will abuse the term round to denote a pair of rounds. Namely, 
in what follows, a round consists of a message of the verifier followed by an immediate response by 
the prover. 

To summarize, we have reduced our view of the scheduled proofs to the adversarial verifier $V^*$ 
scheduling $km$ preamble rounds, with the only constraint that within a proof the order of rounds 
is preserved. We think of this schedule as assigning rounds of the various (preambles of) proofs to 
$km$ "slots" of rounds. We consider the $km$ slots by their order in time, and specify the rewinding 
strategy with respect to these slots, regardless of how the adversary assigns actual proof rounds to 
these slots. For example, we may let the simulator rewind the verifier to the first slot after running 
the second slot. More generally, after reading the verifier's message in any of the round slots, the 
simulator may rewind the simulation (and the verifier) to any previous round slot of the simulation. 
We will specify rewinding in the following manner. A rewind $(i \leftarrow j)$, for $1 \le i < j \le km$, means 
that after reading the verifier's message of round slot $j$, the simulator rewinds the verifier back 
to just before the prover message in round slot $i$. When running the rewound interval the second 
time, the simulator may change its message in round slot $i$ as well as any other message it made in 
the round slots between $i$ and $j - 1$. 

5.2 Specification of the rewind timing 

We use recursion to specify the rewinding timing. At the top level of the recursion, the simulator 
is running all the round slots $1, \dots, mk$. The simulator rewinds the first half of the round slots and 
then the second half of these round slots (regardless of which rounds of which proofs appear in 
the round slots). It then "feeds" each of these halves of $mk/2$ round slots to the recursion. Namely, at the 
second level of the recursion, each of the halves is split into halves and each quarter is rewound. 
In case the number of round slots is odd, we let the first half contain $\lceil mk/2 \rceil$ round slots and the 
second half contain $\lfloor mk/2 \rfloor$ round slots. Finally, at the bottom of the recursion there is an interval 
containing one round slot. There is no need to rewind one round slot (yet an interval of two round 
slots is rewound). 

Let us explain this rewinding schedule with some examples. Suppose the number of round slots, 
$mk$, is 4. Then the round slots are run by the simulator in the following order: 1, 2, 1, 2, 3, 4, 3, 
4. Using the rewinding syntax with the above sequence, we may write: $(1 \leftarrow 2), (3 \leftarrow 4)$. When 
$mk = 8$, the round slots have the following order: 1, 2, 1, 2, 3, 4, 3, 4, 1, 2, 1, 2, 3, 4, 3, 4, 5, 6, 
5, 6, 7, 8, 7, 8, 5, 6, 5, 6, 7, 8, 7, 8. Using the rewinding syntax with the above sequence, we may 
write: $(1 \leftarrow 2), (3 \leftarrow 4), (1 \leftarrow 4), (1 \leftarrow 2), (3 \leftarrow 4), (5 \leftarrow 6), (7 \leftarrow 8), (5 \leftarrow 8), (5 \leftarrow 6), (7 \leftarrow 8)$. 

6 Analysis of the simulator with respect to a static schedule 

To simplify the presentation of the analysis, we start in this section by showing that the simulator 
works well for a static schedule. In a static schedule, the adversarial verifier $V^*$ chooses the (worst 
possible) schedule for the simulator, but this schedule is fixed and does not change during the 
simulation. In Section 7 below, we extend the argument to the case that the schedule is dynamic 
and may change as a function of the adversary's random coins and the history of the simulation so 
far. 

We first note that the overall number of rounds run in the rewinding recursion, as specified, is 
at most $(mk)^2$ and thus the simulator runs in polynomial time. Also, the simulator plays almost 
exactly the role of the prover in the second run of all rewinds (which also include the output of 
the simulation). There are two differences. One is that some of the committed values $p_i$ satisfy 
$p_i = v_i$. However, if $V^*$'s behavior is changed because of this fact in a way that is noticeable in 
polynomial time, then the commitment scheme of the prover is not secure. The other change in 
the protocol is that the simulator uses different witnesses than the prover normally uses in the body 
of the protocol. But that difference is polynomially indistinguishable since the proof body is witness 
indistinguishable (also in the concurrent setting). So $V^*$'s behavior and view in the simulation are 
polynomial-time indistinguishable from its behavior and view when interacting with the real prover 
(both with respect to the content of the messages and to their schedule). To summarize, the output 
of the simulation is indistinguishable from the interactive proof assuming that the simulator solves 
all copies of the proof. 

Our goal is to show that with overwhelming probability the simulator will manage to obtain 
a witness for $T'$ during the simulation of the preamble. We start with some properties of the 
rewinding schedule. We call the intervals that are rewound rewind intervals. Because of the 
(recursive) manner in which we defined the rewinding schedule, the rewind intervals are either disjoint or 
contained within each other. So for any two rewind intervals $(i \leftarrow j)$ and $(k \leftarrow \ell)$, if $i < \ell < j$, then 
it holds that $k$ must be greater than or equal to $i$. In the above case, in which the rewind interval $(k \leftarrow \ell)$ 
is contained within the rewind interval $(i \leftarrow j)$, we will say that the rewind $(i \leftarrow j)$ dominates the 
rewind $(k \leftarrow \ell)$. 

Definition 6.1 We say that a rewind $(k \leftarrow \ell)$ dominates the rewind $(i \leftarrow j)$ if $k \le i < j \le \ell$. 

We call a run of the simulator against a (black-box) verifier $V^*$ good if the simulator solves each 
of the proofs during the preamble and before it gets to simulating the main body of the proof. 
We would like to show that the above rewinding timing lets the simulator get "good" runs with 
overwhelming probability, no matter what schedule is chosen for the messages in the proofs. During 
the simulation, we do not need to rewind bodies of proofs, though, of course, rewindings of a proof 
body that happen while rewinding a preamble of another proof do not hurt the simulation. 

A proof $\Pi$ may be solved via a rewind $(i \leftarrow j)$ if there are at least two rounds of $\Pi$ appearing 
within the round slots $i, i+1, \dots, j$, and the proof $\Pi$ does not begin or end during the round 
slots $i+1, i+2, \dots, j$. The reason for precluding the first round is that if we rewind past the 
first round, the verifier may pick a new vector $v_1, \dots, v_m$ and make the information obtained in the 
first run of the rewind useless. The proof is actually solved in such a rewind if the verifier behaves 
"well" (i.e., follows the protocol) in both runs of the rewind interval. In this case, we have two 
consecutive rounds of the proof $\Pi$: rounds $a$ and $a+1$ ($2 \le a \le m-2$) of $\Pi$ within the rewind 
interval. Thus, in the second run of these rounds, the simulator can set $p_a$ in the preamble to the 
value $v_a$ obtained in the first run and solve the proof. The reason we preclude the first round 
of the proof $\Pi$ from the rewind interval is that if we rewind past the first round of the proof, then 
$V^*$ gets to run its first round again and it may choose new values for $v_1, \dots, v_m$. In particular, $v_a$ 
may change, and the simulator would not know the new value of $v_a$ to set as $p_a$. The reason that 
we require that the preamble does not end before the rewind, i.e., that round $m$ of the proof $\Pi$ is 
not within the rewind interval, is that a proof must be solved before the preamble ends. Else, the 
main body may start, and the simulator will noticeably fail to simulate the proof body, possibly 
causing the verifier to stop cooperating with the rest of the simulation. 

We would like to point out that a rewind may solve the proof at any level of the recursion. If 
there exists a rewind $(i \leftarrow j)$ that may solve the proof, and there exists a larger rewind $(k \leftarrow \ell)$ 
that dominates it, then the fact that we rewind $(k \leftarrow \ell)$ does not "ruin" the solution of the proof 
obtained in rewind $(i \leftarrow j)$. This is true since in both runs of the round slots $k, k+1, \dots, \ell$ of the 
dominating rewind interval we rewind $(i \leftarrow j)$. So even if the rewind $(i \leftarrow j)$ happens again and 
again because of dominating rewinds, in each of the runs it may solve the proof again. 

In what follows, we will restrict our attention to the minimal rewind intervals that may 
solve a proof. If a proof may be solved by a rewind $(k \leftarrow \ell)$, then sometimes it may also be solved 
by several rewinds that dominate $(k \leftarrow \ell)$, just because they dominate it. However, we will be 
interested only in the smallest rewind interval that may solve a proof. Minimality is expressed in 
Conditions (1) and (4) of the following definition. This minimality property will be used to get 
independence between the relevant intervals. 

Definition 6.2 We say that a rewind $(k \leftarrow \ell)$ may solve a proof $\Pi$ if the following four conditions 
hold: 

1. Exactly two rounds of the preamble of $\Pi$ take place during round slots $k, k+1, \dots, \ell$, 

2. the first round of $\Pi$ takes place at a round slot $i < k$, 

3. the last round of $\Pi$ takes place at a round slot $j > \ell$, and 

4. the first of these two rounds of $\Pi$ appears in the first half of the rewind interval $(k \leftarrow \ell)$ and the second 
appears in the second half of the rewind interval $(k \leftarrow \ell)$. 

Note that if $\Pi$ has two rounds in the same half of the rewind interval $(k \leftarrow \ell)$, then there exists 
a dominated interval that may solve $\Pi$. This is the rationale behind Part (4) of the definition. We now 
show that many rewinds may solve $\Pi$. 
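The recursive rewinding schedule of Section 5.2 and the four conditions of Definition 6.2, as an added worked example in Python; this is not the paper's code. It reproduces the two round-slot sequences given for mk = 4 and mk = 8, checks that rewind intervals are pairwise disjoint or nested, and, for a constructed static schedule (k = 2 proofs with m = 64 preamble rounds each, interleaved on the odd and even slots of the mk = 128 round slots), counts the intervals satisfying Conditions (1) and (4) of Definition 6.2 and those satisfying all four, comparing the latter with the bound m/(log(mk)+1) - 2 stated in Lemma 6.3 below. The function names and the schedule are assumptions made for the example.

```python
"""Added example (not the paper's code): the recursive rewinding schedule of
Section 5.2 and the "may solve" test of Definition 6.2 for a static schedule."""
from math import log2


def first_half_end(lo, hi):
    """Last slot of the first half of the interval lo..hi.  With an odd number of
    slots the first half gets the extra one (footnote 2 of the paper)."""
    size = hi - lo + 1
    return lo + (size + 1) // 2 - 1


def run_order_and_rewinds(n):
    """Order in which round slots 1..n are executed by the simulator, and the
    rewinds (i <- j) in the order they are performed (repeats included)."""
    order, rewinds = [], []

    def run(lo, hi):
        # One pass over slots lo..hi: split into halves and run each half twice.
        if lo == hi:
            order.append(lo)                 # a single slot is never rewound
            return
        mid = first_half_end(lo, hi)
        for a, b in ((lo, mid), (mid + 1, hi)):
            run(a, b)                        # first run: only gathers information
            if a < b:
                rewinds.append((a, b))       # rewind (a <- b) after slot b's message
                run(a, b)                    # second run: the one that is kept

    run(1, n)
    return order, rewinds


def nested_or_disjoint(intervals):
    """Any two rewind intervals are disjoint or one contains the other."""
    for i, j in intervals:
        for k, l in intervals:
            overlap = not (j < k or l < i)
            nested = (k <= i and j <= l) or (i <= k and l <= j)
            if overlap and not nested:
                return False
    return True


def is_good(interval, slots):
    """Conditions (1) and (4) of Definition 6.2.  `slots` lists the round slots of
    one proof's preamble in order: slots[0] is round 1, slots[-1] is round m."""
    k, l = interval
    inside = [s for s in slots if k <= s <= l]
    if len(inside) != 2:                     # (1) exactly two rounds in the interval
        return False
    mid = first_half_end(k, l)
    return inside[0] <= mid < inside[1]      # (4) one round in each half


def may_solve(interval, slots):
    """All four conditions of Definition 6.2."""
    k, l = interval
    return (is_good(interval, slots)
            and slots[0] < k                 # (2) first round before the interval
            and slots[-1] > l)               # (3) last round after the interval


def analyse(n, slots):
    """Distinct rewind intervals of an n-slot schedule that are good for, and
    that may solve, the proof scheduled at `slots`."""
    _, rewinds = run_order_and_rewinds(n)
    distinct = sorted(set(rewinds))
    good = [r for r in distinct if is_good(r, slots)]
    solving = [r for r in distinct if may_solve(r, slots)]
    return good, solving


def lemma_6_3_bound(m, k):
    """The lower bound m/(log(mk)+1) - 2 of Lemma 6.3."""
    return m / (log2(m * k) + 1) - 2


if __name__ == "__main__":
    for n in (4, 8):                          # the two examples of Section 5.2
        order, rewinds = run_order_and_rewinds(n)
        print(f"mk={n}: order={order}\n       rewinds={rewinds}")
    # Constructed static schedule: k=2 proofs, m=64 rounds each, mk=128 slots;
    # proof A occupies the odd slots and proof B the even ones.
    m, k = 64, 2
    for name, slots in (("A", range(1, m * k + 1, 2)), ("B", range(2, m * k + 1, 2))):
        good, solving = analyse(m * k, list(slots))
        print(f"proof {name}: {len(good)} good intervals, {len(solving)} may solve, "
              f"Lemma 6.3 bound {lemma_6_3_bound(m, k):.1f}")
```

For the constructed schedule each proof has 32 good intervals, of which exactly the two containing its first and last preamble round fail Conditions (2) and (3), leaving 30 intervals that may solve it, well above the bound of 6 that Lemma 6.3 gives for these parameters. The execution order for 128 slots has 8192 entries, within the $(mk)^2$ bound used in Section 6.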

Lemma 6.3 For any schedule of $k$ copies of the proof preambles (in the $mk$ round slots), if a 
preamble of a specific proof $\Pi$ completes in round slot $\ell$, then there are at least $\frac{m}{\log(mk)+1} - 2$ 
rewind intervals that complete by round $\ell$ and that may solve $\Pi$. 

Proof: We first show that there are at least $\frac{m}{\log(mk)+1}$ rewind intervals that satisfy Conditions (1) 
and (4) in Definition 6.2 above. We then note that at most two of these intervals may foil Conditions 
(2) or (3); thus the number of rewinds that may solve the proof $\Pi$ is at least $\frac{m}{\log(mk)+1} - 2$, as 
required. Clearly, any relevant interval must end by round $\ell$, since the preamble terminates at 
round $\ell$. 

Fix a proof $\Pi$ and any schedule of the rounds for all the proofs. We call a rewind interval 
good if it satisfies Conditions (1) and (4) in Definition 6.2 above (with respect to $\Pi$). Consider 
the rewinds by the height of the recursion. At the top level, i.e., recursion height $\lceil \log(mk) \rceil$, we 
have $mk$ round slots. In these round slots we have $m$ rounds of the proof $\Pi$. In each recursion 
invocation, all round slots of the current level rewind interval are split into two almost² equal parts 
and participate in two rewind intervals of a lower recursive level. This splitting goes down the 
recursion until we are left with one or two round slots at recursion level 1. If we consider the 
rounds of the specific proof $\Pi$ as scheduled in the round slots, then there are $m$ rounds scattered 
at the top level, which are split into two in each recursion invocation. The split of these rounds of 
$\Pi$ is not necessarily equal (or even close to equal), since there may be other rounds of other proofs 
that appear in the (equal) split of the round slots. 

² If the number of round slots is odd, then the left interval has one more round slot than the right interval. 

In the following, we claim that if there are $r$ rounds of $\Pi$ in a rewind interval of level $h$, then 
these rounds participate in at least $\frac{r}{h+1}$ good rewind intervals with respect to $\Pi$. Assigning the 
recursion level $h = \lceil \log(mk) \rceil$ of the top level, and the number $r = m$ of rounds in the preamble of 
$\Pi$ in the top level, we get the validity of the assertion in Lemma 6.3. 



Claim 6.4 For any schedule of $k$ copies of the proof (in $mk$ round slots), and for any specific proof 
$\Pi$: let $r$ be an integer, $2 \le r \le m$, and let $h$ be an integer such that $r \le 2^h$. Suppose there are $r$ 
rounds of the proof $\Pi$ in a rewind interval of recursion level $h$. Then these rounds participate in at 
least $\frac{r}{h+1}$ good rewind intervals with respect to the proof $\Pi$. 



Proof: We prove the claim by induction on $r$. Let $r = 2$. If the two rounds are split in the 
current recursion invocation, then the current rewind interval is good. Otherwise, the two rounds 
may stay together for several invocations of the recursion and then get split, thus making a good 
rewind interval at some lower level. Finally, they may stay together until the bottom level, which 
makes the bottom level a good rewind interval with respect to the proof $\Pi$. Thus, these 2 rounds 
participate in at least 1 good rewind interval, as required. 

Now, suppose that the claim is correct for all $2 \le r' < r$ and let us prove that it holds for $r$ 
rounds. Consider the partitioning of the $r$ rounds of the current rewind interval into two rewind 
intervals when invoking the next recursion. (Recall that each rewind interval is split into two rewind 
intervals.) Denote by $r_1$ the number of rounds that go into the first rewind interval, and by $r_2$ the 
number of rounds that are assigned into the second rewind interval. We know that $r_1 + r_2 = r$ and 
assume w.l.o.g. that $r_1 \le r_2$. We split the analysis into 3 possible cases. 

Case 1: $r_1 \ge 2$. In this case, we may use the induction hypothesis. The recursion level of the 
two rewind intervals that contain the $r_1$ and $r_2$ rounds is $h - 1$. By the induction hypothesis, the 
number of good rewind intervals is at least: 

$$\frac{r_1}{h} + \frac{r_2}{h} \ge \frac{r_1 + r_2}{h} \ge \frac{r}{h+1}$$ 

and we are done with Case 1. 

Case 2: $r_1 = 1$. In this case, we know that $r_2 = r - 1 \ge 2$ (since $r \ge 3$); thus, we may use 
the induction hypothesis for the second rewind interval. Nothing is guaranteed for the first rewind 
interval to which only one round was assigned. By the induction hypothesis, we get that the number 
of good rewind intervals is at least: 

$$\frac{r_2}{h} = \frac{r - 1}{h} \ge \frac{r}{h+1}$$ 

and we are done with Case 2. 

Case 3: $r_1 = 0$. In this case, we cannot use the induction hypothesis, since $r_2 = r$. Thus, we 
check what may happen to these $r$ rounds as we go down the recursion. These rounds may stay 
together in a single rewind interval only at recursion levels greater than $\lceil \log(r) \rceil$, since there are at 
most $2^{h'}$ round slots at a rewind interval of recursion level $h'$. So there exists a level $2 \le h' \le h$ at 
which the $r$ rounds are split into $r_1 \ge 1$ rounds and $r_2 \ge 1$ rounds for the rewind intervals of level 
$h' - 1$. By the same argument as in Cases 1 and 2, we get that the number of good intervals that 
these $r$ rounds participate in is at least: 

$$\frac{r}{h' + 1} \ge \frac{r}{h + 1}$$ 

and we are done with Case 3 and with the proof of Claim 6.4. □ 

As mentioned above, this also concludes the proof of Lemma 6.3, since for any proof $\Pi$ there 
are $m$ rounds at recursion level $\lceil \log(mk) \rceil$, and since only two of them may contain the first or last 
round of the preamble. □ 

6.1 Why the rewinding works 

We would like to claim now that the simulator is able to solve each proof during its preamble and 
before it is required to simulate the main body of the proof with high probability. By Lemma 
6.3, for each of the $k$ proofs, there are at least $\frac{m}{\log(mk)+1} - 2$ rewind intervals that may solve it. 
Of course, it is enough that for each proof there is one rewind that actually solves it during the 
preamble (rather than may solve it). If we have one such rewind for each proof, the simulator can 
properly simulate each proof and all of them together no matter what the schedule is. 

However, it is not always the case that a proof is solved in a rewind that may potentially solve 
it. The reason is that the adversarial verifier $V^*$ may sometimes not open the commitment of a 
round of a proof $\Pi$. If the verifier $V^*$ does not open the commitment, then the real prover aborts 
the proof $\Pi$. In a rewind interval that may solve $\Pi$ there are exactly two rounds of $\Pi$ (which are 
not the first or last round). Denote the numbers of these rounds in the proof $\Pi$ by $a$ and $a+1$. The 
proof is solved in this rewind unless the following event happens: 

1. the verifier does not reveal the committed value $v_a$ in the first run, but 

2. the verifier does reveal the committed value $v_a$ in the second run. 

All three other alternatives (i.e., the verifier reveals the committed values in both runs, or does 
not reveal the committed value in both runs, or reveals the committed value only in the first run) 
allow the simulator to solve the proof $\Pi$ in this rewind. If the verifier reveals the committed value in 
the first run, then the proof is solved, since the simulator may set the value of its string $p_a$ to the $v_a$ 
that it has learned. If the verifier does not reveal the committed value in both the first and second 
run, then the proof $\Pi$ is also solved, since the prover does not answer any of the following rounds 
of the proof $\Pi$, and the simulator may easily "simulate" that. 

We stress that the following naive solution would not work here: output an aborted proof if 
either in the first or in the second run $V^*$ does not reveal the committed value. This solution is not 
good, since it increases the probability of aborting $\Pi$ above the probability of aborting $\Pi$ in the 
real proof. Thus, the simulation may become polynomially distinguishable from the original proof. 

Let us compute the probability that a rewind that may solve the proof fails to solve it. When 
we solve a proof, the second run is different from the first run. In particular, the value of some 
$p_i$ equals the value of some $v_i$, and the verifier might notice that an interval is run the second time 
by noting that some other proof $\Pi'$ has been solved in this rewind interval. However, the prover 
is using a commitment scheme to secretly commit on the strings $p_i$'s in all the proofs. Using the 
secrecy of the commitment scheme, the verifier cannot tell that it has been rewound, so it cannot 
make an effort to abort the first run and behave well on the second run. Therefore, the probability 
that the verifier aborts in the first run is similar to the probability that it aborts in the second 
run of the rewind interval. These two probabilities are equal up to an (additive) negligible fraction 
(representing the probability that the commitment scheme fails). Whatever the probability $p$ that 
$V^*$ chooses not to reveal the committed value is, the probability that it does not reveal in the first 
run of a rewind, yet it does reveal in the second run, is $p(1 - p + \epsilon) \le 1/4 + \epsilon$ for some negligible 
fraction $\epsilon$. In the sequel, we assume that any rewind that may solve the proof indeed solves it with 
probability at least 2/3. 

We go on and compute the probability that the simulation succeeds, i.e., that each proof is 
solved before its preamble terminates. Note that a preamble of a proof $\Pi$ may terminate several 
times, since $\Pi$ may be completely (or partially) rewound several times and in particular, its last 
round of the preamble may be run several times. In the worst case, the preamble of each of the $k$ 
proofs terminates a number of times that equals the overall number of times that a rewind interval 
is executed. This number is at most $2^{\lceil \log(km) \rceil} \le 2km$, i.e., a polynomial in $k$. We will show that 
the simulator fails to solve any particular proof with a negligible probability. Thus, it fails to solve 
any of (the polynomial number of) the proofs with negligible probability as well. 

For any proof $\Pi$, if the preamble of $\Pi$ is completed, then the number of rewind intervals that may solve 
$\Pi$ is at least $a = \frac{m}{\log(mk)+1} - 2$. Since we set $m = \omega(\log^2 k)$ and since a realistic value of $m$ satisfies 
$m \le k$, this number is 

$$a \ge \frac{\omega(\log^2 k)}{\log(k) + \log(m) + 1} - 2 = \omega(\log k).$$ 

We note now that all rewind intervals that may solve the proofs are disjoint in time. This follows 
since overlapping intervals must contain one another by the definition of the rewinding intervals. 
On the other hand, by the minimality of the intervals (Requirements (1) and (4) of Definition 6.2), 
a rewind that may solve the proof $\Pi$ does not contain another rewind that may solve the proof 
$\Pi$. Thus all these $a$ rewind intervals are disjoint and the probability that the proof is actually 
solved in any of them is independent and at least 1/3. So for any occurrence of a proof $\Pi$, the 
probability that the simulator fails to solve it is at most $(1/3)^a$, which is a negligible fraction (in 
$k$). By the summation bound, the probability that the simulator fails in any of the (polynomially 
many) occurrences of proofs is also negligible. 

7 Extending the analysis for the dynamic schedule 

We now move to the more difficult, yet realistic, case in which the verifier does not fix the schedule 
of the messages in the $mk$ round slots in advance, but may determine which message to schedule 
in the next round slot depending on the history so far and its random coins. Looking back at 
the analysis of the previous section, the problem now is that the rewind intervals in which a proof 
may be solved constitute a random variable. Each time a new rewind interval is started, there is 
a probability that the interval will include two rounds of the proof (which are not the first or last 
round). This probability depends on the random tape of the adversarial verifier, the history so far, 
and the behavior of the prover (or the simulator) during the rewind interval. It is possible that in 
the first run of the rewind interval $V^*$ will choose to include two rounds of the proof but in the 
second run it will choose not to. The security of the prover's bit commitment gives us, again, a 
guarantee that the first run and the second run of the rewind have similar behavior. 

As before, we ask ourselves what is the probability that a preamble of a proof $\Pi$ ends without 
the proof being solved by the simulator. At each point of the simulation one or more rewinds may 
start. The simulator solves the proof $\Pi$ during a rewind interval $\rho$ if the first run of $\rho$ includes 
exactly two rounds of the proof $\Pi$ that are not the first or the last rounds, and the verifier reveals 
its committed value properly. Let us present the explicit definitions. 



Definition 7.1 (Dynamic analogue of Definition 6.2:) We say that a run of a rewind $\rho$ (either 
first or second run) is interesting with respect to a proof $\Pi$ if it includes exactly two rounds of the 
preamble of $\Pi$ that are neither the first nor the last round of the preamble, and each being in a 
different half of the rewind interval. 
Definition 7.2 We say that a run of a rewind $\rho$ (either first or second run) is good with respect 
to a proof $\Pi$ if it is interesting and the verifier properly reveals its commitments in the second of 
these two rounds. If a run is not good with respect to $\Pi$, we call it bad with respect to $\Pi$. 

If the first run is good with respect to a proof $\Pi$, then the proof $\Pi$ is solved (no matter what the 
second run is). For each run of a rewind $\rho$, depending on the history so far, there is a probability 
$p_\rho$, determined by the adversarial verifier, that a run of this rewind is good with respect to $\Pi$. 
By the security of the prover's commitment scheme, the probability that the first run is good is 
equal up to an (additive) negligible fraction to the probability that the second run is good. Lemma 
7.3 is similar to Lemma 6.3. 
Lemma 7.3 In any schedule of $k$ copies of the proof (in $mk$ round slots), if a preamble of a specific 
proof $\Pi$ completes in round $\ell$, then there are at least $\frac{m}{\log(mk)+1} - 2$ rewind intervals that completed 
before round $\ell$ with a second good run with respect to $\Pi$. 

Proof: In the same way as in the proof of Lemma 6.3, such a number of intervals must exist in any 
transcript that has a completed preamble in it. It remains to recall that the simulation always 
continues with the second run of all previous rewinds. Thus, at any point in the simulation time, 
all rewind intervals that have been finished have been fixed by the second run of the rewind. This 
means that a transcript that has a completed preamble in it must contain at least $\frac{m}{\log(mk)+1} - 2$ 
such rewind intervals and they all contain the second runs of all rewinds. □ 

By Lemma 7.3, before a preamble may complete, the history must contain at least 
$a \stackrel{\mathrm{def}}{=} \frac{m}{\log(mk)+1} - 2$ good second runs. However, for the proof to be completed unsolved, all the 
first runs of all previously completed rewinds must be bad with respect to $\Pi$. We will show that 
this happens with negligible probability. 

Lemma 7.4 The probability that there exists a preamble of a proof $\Pi$ that ends well during the
simulation but is not solved is negligible.

Proof: We show that for any specific copy $\Pi$ of the proof whose preamble has completed, the
probability that the preamble ends well, yet $\Pi$ remains unsolved, is negligible. Since there is a
polynomial number of proofs and each of the preambles may end a polynomial number of times,
we get that the probability that a preamble of any of the proofs remains unsolved when it
ends is negligible.

Consider the run of the simulator. At each point of the simulation, one or more rewind intervals
may start. At each of these points there is some probability $p$ that the run of one of the rewind
intervals will be good with respect to $\Pi$. As discussed before, if the commitment scheme that the
prover uses is secure, then the probability that the first run is good is equal to the probability
that the second run is good, up to an additive negligible fraction. We would like to compute the
probability that the preamble of the proof instance $\Pi$ ends well without being solved. By Lemma
7.3, for any possible schedule of the proof instance $\Pi$, it must include at least $a$ intervals that were
good in the second run with respect to $\Pi$. By our definition of a good interval, these intervals are
non-overlapping (recall the minimality condition of Definition 7.1).

We may think of the adversarial verifier as running the following stochastic experiment, which
we denote the sequential experiment. It runs serially through tests (which are the rewinds). For
the $i$th test, based on the history so far and its random tape, the adversary chooses a probability
$p_i$. (This is the probability that the first run of the interval ends well. The probability that the
second run ends well is at most $p_i + \varepsilon_i$ for some negligible fraction $\varepsilon_i$.) Then, with probability
$(1 - p_i)(p_i + \varepsilon_i)$ the adversary wins the test (the first run is bad
and the second is good). With probability $p_i$ it loses the whole experiment (the first run is good
and the simulator has solved the proof $\Pi$); in this case we say that the adversary dies. Finally, with
probability $(1 - p_i)(1 - p_i - \varepsilon_i)$ nothing happens, i.e., the adversary neither wins nor dies (both runs
are bad). The goal of the adversary is to win at least $a$ tests in the experiment without
dying. The probability that the adversary succeeds in the sequential experiment is an upper bound
on the probability that the preamble of a proof $\Pi$ ends without being solved. The reason is that
when a preamble completes without being solved, all first runs must be bad and at least $a$ second runs
must be good. The number of tests run during the sequential experiment is $b$. In our case $b \le 2mk$.
We now analyze the sequential experiment with parameters $a$ and $b$.

Claim 7.5 Let $b$ and $a$ be two positive integers such that $a \le b$ and $b$ is bounded by a polynomial
(in $k$). Then the probability that the adversary wins the sequential experiment with parameters $a$
and $b$ is at most $(2/3)^a$.

Proof: In the sequential experiment, the adversary chooses a probability $p_i$ in each round $1 \le i \le b$.
In each of the tests, with probability $p_i$ the adversary fails the whole experiment. With probability
$(1 - p_i)(p_i + \varepsilon_i)$ it wins the $i$th test, where $\varepsilon_i$ is a negligible fraction (in $k$). With probability
$(1 - p_i)(1 - p_i - \varepsilon_i)$ nothing happens and we move to the next test.

We will show that for any $\ell \ge 0$, the probability that the adversary goes from winning $\ell$ tests to
winning $\ell + 1$ tests without getting killed in between is at most $2/3$, regardless of the choice of the
probabilities $p_i$. From that we get that the probability that the adversary wins $a$ tests without
getting killed is at most $(2/3)^a$.

Suppose the adversary has won $\ell$ tests without getting killed and it is now trying to win one
more. The adversary chooses probabilities $p_i$ and runs the tests. In each test it either dies, or
it wins, or nothing happens. Let $\beta$ be the number of tests remaining before the $b$ tests of the
experiment end (indexed $1, \ldots, \beta$ below). The probability that the adversary wins one test before it dies and before the
game ends is:

$$\mu_1 = \sum_{t=1}^{\beta} \left[ \prod_{j=1}^{t-1} (1 - p_j)(1 - p_j - \varepsilon_j) \right] (1 - p_t)(p_t + \varepsilon_t) \qquad (1)$$

To show that this probability is less than $2/3$ no matter what the choice of the $p_i$'s is, we compute
the probability of a disjoint event: the event that the adversary dies before it wins the $(\ell+1)$st test.
(Note that there is a third disjoint event in which the adversary neither dies nor wins
during the remaining $\beta$ tests.) The probability of the adversary dying before winning is:

$$\mu_2 = \sum_{t=1}^{\beta} \left[ \prod_{j=1}^{t-1} (1 - p_j)(1 - p_j - \varepsilon_j) \right] p_t \qquad (2)$$

Comparing $\mu_1$ and $\mu_2$, we see that for each term in the summation all the factors are the same
but the last, and the last factor of (1) exceeds that of (2) by at most $\varepsilon_t$, since
$(1 - p_t)(p_t + \varepsilon_t) - p_t = \varepsilon_t(1 - p_t) - p_t^2 \le \varepsilon_t$. Since the $\varepsilon_t$'s are negligible (in $k$) and $\beta$ is bounded by a polynomial (in $k$), we
get that

$$\mu_1 - \mu_2 \le \varepsilon \qquad (3)$$

for some negligible fraction $\varepsilon$. Since $\mu_1$ and $\mu_2$ represent the probabilities of disjoint events, we
also get

$$\mu_1 + \mu_2 \le 1. \qquad (4)$$

Combining Equations (3) and (4) we get

$$\mu_1 \le \frac{1}{2} + \frac{\varepsilon}{2} < \frac{2}{3}$$

and we are done with the proof of Claim 7.5. □

To summarize, the probability that the preamble of a given proof instance $\Pi$ ends well without
being solved is at most $(2/3)^a$. Recall that $a = \frac{m}{\log(mk)+1} - 2 = \omega(\log k)$ (and $b \le (2mk)^2$), so we
get that the above is a negligible fraction in $k$. Since we have at most $mk$ instances of any of the $k$
proofs, the probability that the preamble of any of these proofs ends well without being solved by
our simulator is also negligible, and we are done with the proof of Lemma 7.4. □



Using Lemma 7.4, we get that the simulator fails with negligible probability. Also, as in the static 
case, when the simulator succeeds, it outputs an interaction that is polynomially indistinguishable 
from the real interaction between the adversarial verifier and the real prover. 

8 Resettable zero-knowledge 

In this section, we show how to modify our interactive proof system to make it resettable zero- 
knowledge. We start with the definitions and proceed with the construction. 

8.1 Definitions 

We provide the definitions of resettable zero-knowledge. For a more detailed discussion and motiva-
tion the reader is referred to [3].

Definition 8.1 An interactive proof system $(P,V)$ for a language $L$ is called resettable zero-
knowledge if for any probabilistic polynomial-time adversary $V^*$ there exists a probabilistic poly-
nomial time simulator $M^*$ so that the following two distribution ensembles are computationally in-
distinguishable: let $t$ be a polynomial $t = \mathrm{poly}(n)$, let each distribution be indexed by a sequence of
common inputs $x_1, \ldots, x_t \in L \cap \{0,1\}^n$ and a corresponding sequence of prover's auxiliary inputs
$y_1, \ldots, y_t$.

Distribution 1 is defined by the following random process which depends on $P$ and $V^*$:

1. Randomly select and fix $t$ random tapes $\omega_1, \ldots, \omega_t$ for $P$, resulting in deterministic strategies
$P^{(i,j)} = P_{x_i, y_i, \omega_j}$, defined by $P_{x_i, y_i, \omega_j}(\alpha)$ being the output of $P$ on input $x_i$, auxiliary input $y_i$, random
tape $\omega_j$ and history so far $\alpha$, for all $i, j \in \{1, \ldots, t\}$. Each $P^{(i,j)}$ is called an incarnation of
$P$.

2. Machine $V^*$ is allowed to run polynomially many sessions with the $P^{(i,j)}$'s. $V^*$ is allowed to
send arbitrary messages to each of the $P^{(i,j)}$ and obtain the responses of $P^{(i,j)}$ to such
messages.

Distribution 2: the output of $M^*(x_1, \ldots, x_t)$.

We say that an interactive proof is black-box resettable zero-knowledge if there is a single universal
simulator that can simulate an adversarial verifier $V^*$ by using $V^*$ as a black box.

As will be shown in Section 8.2, the interactive proof that we present in this paper can be easily
modified into an interactive proof that has a specific structure, denoted an admissible proof system
in [3]. Canetti et al. provide an easy way to prove that an admissible interactive proof is resettable
zero-knowledge. Intuitively, an admissible proof is a proof in which the verifier commits itself at the
beginning of the protocol to its answers in the rest of the protocol. In our modified proof (described
in Section 8.2 below), the verifier makes a commitment to all its future messages. In the rest of
the proof system it sends its messages by revealing the committed values from the beginning of the
proof. The prover aborts in case the verifier fails to reveal one of its strings appropriately.

The formal definition of admissible proofs partitions the consideration of the verifier commit- 
ments and the rest of the proof, by considering two independent prover modules. One of them 
deals with the commitments and verification of string revelation, and the other with the rest of the 
proof. Each revelation of a string contains the string itself (called the main part of the message) 
and a part witnessing that the revelation is correct (called the authenticator part of the message) . 
Let us set some conventions before continuing with the formal definition. We assume that the
proof always starts with a verifier message specifying an incarnation $P^{(i,j)}$ of the prover. The second
message is then sent by the prover and is called the initialization message. (In the special interesting
case where the proof starts with a commitment, this message contains the random string of the prover
required to make the verifier commitment.) The third message is a verifier message denoted the
determining message. We require that this message includes as a prefix the first two messages of
the proof.

Definition 8.2 A proof system $(P, V)$ is called admissible if the following requirements hold:

1. The prover $P$ consists of two modules $P_1, P_2$. Similarly, the random input is partitioned
into two disjoint parts $\omega^{(1)}, \omega^{(2)}$, where $\omega^{(1)}$ is given to $P_1$. The initialization message is sent
by $P_1$.

2. Each verifier message other than the first is first received by $P_1$ and is interpreted as consisting
of two parts, called main and authenticator. $P_1$ decides whether to accept the message or to
abort. If $P_1$ accepts, it forwards the main part of the message to $P_2$, who generates the next
prover message.

3. Let $V^*$ be an arbitrary (deterministic) polynomial-size circuit representing a possible strategy
for the verifier in the interactive proof $(P, V)$. Then, except with negligible probability, $V^*$
is unable to generate two different messages for some round $\ell$ that are accepted by $P_1$ with
respect to the same determining message.

We think of an incarnation of a prover $P$ in an admissible proof as having three indices, $P^{(i,j,k)}$. The
first index stands for the input and matching auxiliary input $x_i$ and $y_i$. The second index stands
for the random tape $\omega^{(1)}$ of the first prover module and the third index stands for the random tape
$\omega^{(2)}$ of the second prover module.



In Section 8.2 below, we will present a modification of our protocol that is an admissible proof.
It is shown in [3] that for admissible proofs it is simpler to show that the proof is resettable zero-
knowledge. In particular, any admissible proof that is hybrid zero-knowledge is also resettable zero-
knowledge. In the hybrid model of zero-knowledge the verifier is allowed to use many incarnations of
provers $P^{(i,j,k)}$ but with a restriction: no two different incarnations may have the same $k$. Namely,
the verifier may run the prover many times, but the random coins of the second prover module must be
random and independent in each run.



In Section 8.2 below we will show that our modified proof
is both admissible and hybrid zero-knowledge and therefore it is also resettable zero-knowledge.
Let us define hybrid zero-knowledge and quote the related assertion from [3].

Definition 8.3 Let $(P,V)$ be an admissible interactive proof with $P_1, P_2$ being the two modules of
the prover as in Definition 8.2. We say that $(P, V)$ is hybrid zero-knowledge if Definition 8.1 holds
when $V^*$ in Distribution 1 of Definition 8.1 is restricted to interacting with incarnations of provers
$P^{(i,j,k)}$ such that no two incarnations $P^{(i,j,k)}$ and $P^{(i',j',k')}$ satisfy $k = k'$.

In Section 8.2 we will use the following corollary of [3]:

Corollary 8.4 ([3], Corollary 9) If an admissible proof $(P, V)$ is hybrid zero-knowledge then $(P, V)$
is resettable zero-knowledge.
8.2 Constructing resettable zero-knowledge

Let us now show how to modify our interactive proof system to make it resettable zero-knowledge.
Our proof is an easy extension of the proof in [3]. The details are provided for self-containment. We
make the following two modifications. First, we fix the body of the proof to use the zero-knowledge
proof for 3-Colorability by Goldreich and Kahan [16]. Recall that in the body of the proof the
prover provides a zero-knowledge proof that the input theorem $T$ is true or $\exists i$ s.t. $v_i = p_i$ (see
the description of the protocol earlier in the paper). Since the original theorem $T$ is an NP statement, so is the assertion "$T$
is true or $\exists i$ s.t. $v_i = p_i$", and thus, given the preamble and the theorem $T$, it can be reduced
to Graph 3-Colorability and proven in zero-knowledge via the Goldreich-Kahan proof system. A
property of this proof is that the verifier commits to its queries, which are edges in the graph.
(For the honest verifier these are edges chosen uniformly at random.)

The second modification we make is that we modify the verifier to commit to its queries in
the Goldreich-Kahan proof system at the beginning of the protocol preamble, together with the
commitments to the values $v_1, \ldots, v_m$. Since the graph is not known at this time of the protocol
(recall that the reduction uses the messages sent by the parties during the preamble), the verifier
commits to $n^4$ random pairs of vertices in the graph. Once the graph is determined, the proof will
consider only pairs of vertices that are edges in the graph. We remark that the soundness is not
substantially changed, since the commitments of the verifier are done with statistical secrecy and
since the probability of ending up with a quadratic number of edge-challenges is overwhelming.

We would like to show that the resulting protocol is resettable zero-knowledge. By Corollary
8.4, if an admissible proof $(P, V)$ is hybrid zero-knowledge then $(P, V)$ is resettable zero-knowledge.
We will first argue that this protocol is admissible, and then that it is hybrid zero-knowledge, and
we are done.

To show that the modified protocol is admissible, we have to define the two provers. We define 
the first prover module to handle the verifier's commitments. It supplies the random string required 
for the verifier commitments and then handles the later revelations of committed values (with no 
need for more random coins). The second prover module proceeds with the preamble only if the 
first prover accepts the revelations. Then, during the body of the proof, the second prover gets the 
revealed challenges and answers them. It can be easily verified that this satisfies the definition of 
admissible proofs. 
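The two-module structure just described (and required by Definition 8.2) is easy to make concrete. The following Python sketch is an added example, not code from the paper or from [3]: module $P_1$ sends the receiver string as its initialization message, stores the determining message (which must repeat that string as a prefix), and accepts a later verifier message only if its authenticator opens the commitment made for that round; module $P_2$ never sees anything but accepted main parts. It also shows the point raised below about reuse: the same first-module tape $\omega^{(1)}$ serves several sessions, as the hybrid model allows. Assumptions: a SHA-256 hash commitment stands in for the paper's statistically hiding scheme (so requirement 3 of Definition 8.2 rests on collision resistance here, not on the scheme the paper uses); the verifier's first message selecting the incarnation is omitted; and $P_2$'s answer is a placeholder for the real prover step.

```python
"""Toy of the two-module 'admissible' prover of Definition 8.2 (added example, not the paper's code).

Assumptions: hash commitment c = SHA-256(rho || round || nonce || message) stands in for the
statistically hiding scheme; P2's answer is a placeholder for the real prover step.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


def commit(rho: bytes, rnd: int, nonce: bytes, msg: bytes) -> bytes:
    """Commitment to `msg` for round `rnd` under the receiver string `rho` (assumed scheme)."""
    return hashlib.sha256(rho + rnd.to_bytes(4, "big") + nonce + msg).digest()


class ProverP1:
    """Module P1: sends rho, stores the determining message, checks every revelation."""

    def __init__(self, omega1: bytes) -> None:
        self.rho = omega1                       # P1's random tape is the receiver string
        self.commitments: Optional[List[bytes]] = None
        self.accepted: Dict[int, bytes] = {}    # round -> accepted main part

    def initialization_message(self) -> bytes:
        return self.rho

    def receive_determining_message(self, rho_prefix: bytes, commitments: List[bytes]) -> bool:
        # The determining message must carry the initialization message as a prefix.
        if rho_prefix != self.rho:
            return False
        self.commitments = list(commitments)
        return True

    def receive(self, rnd: int, main: bytes, authenticator: bytes) -> bool:
        """Accept iff (main, authenticator) opens the round-`rnd` commitment; else P1 aborts."""
        if self.commitments is None or not 0 <= rnd < len(self.commitments):
            return False
        if commit(self.rho, rnd, authenticator, main) != self.commitments[rnd]:
            return False                        # improper revelation: abort
        self.accepted[rnd] = main
        return True


class ProverP2:
    """Module P2: sees only the main parts that P1 forwards."""

    def __init__(self) -> None:
        self.challenges: List[bytes] = []

    def answer(self, main: bytes) -> bytes:
        self.challenges.append(main)
        # Placeholder for the real step (e.g. opening the two colours of the queried edge).
        return hashlib.sha256(b"answer:" + main).digest()


class Verifier:
    """Honest verifier: commits to all future messages up front, then reveals them in order."""

    def __init__(self, messages: List[bytes]) -> None:
        self.messages = messages
        self.nonces = [secrets.token_bytes(16) for _ in messages]

    def determining_message(self, rho: bytes) -> Tuple[bytes, List[bytes]]:
        cs = [commit(rho, r, n, m) for r, (n, m) in enumerate(zip(self.nonces, self.messages))]
        return rho, cs

    def reveal(self, rnd: int) -> Tuple[bytes, bytes]:
        return self.messages[rnd], self.nonces[rnd]     # (main, authenticator)


def run_session(verifier: Verifier, omega1: bytes) -> Tuple[bool, List[bytes]]:
    """One session; returns (completed without abort, challenges seen by P2)."""
    p1, p2 = ProverP1(omega1), ProverP2()
    rho = p1.initialization_message()
    if not p1.receive_determining_message(*verifier.determining_message(rho)):
        return False, p2.challenges
    for rnd in range(len(verifier.messages)):
        main, auth = verifier.reveal(rnd)
        if not p1.receive(rnd, main, auth):
            return False, p2.challenges         # prover aborts
        p2.answer(main)
    return True, p2.challenges


def equivocation_accepted(verifier: Verifier, omega1: bytes, rnd: int, other: bytes) -> bool:
    """Requirement 3: after committing, can round `rnd` be opened both honestly and as `other`?"""
    p1 = ProverP1(omega1)
    p1.receive_determining_message(*verifier.determining_message(p1.rho))
    main, auth = verifier.reveal(rnd)
    # Reusing the honest nonce fails the hash check; a fresh nonce would need a collision.
    return main != other and p1.receive(rnd, main, auth) and p1.receive(rnd, other, auth)
```

Because $P_1$ needs no fresh coins after sending $\rho$, re-running it with the same $\omega^{(1)}$ against a different verifier commitment set is harmless, which is the observation the hybrid-zero-knowledge argument below relies on.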

To show that the protocol is hybrid zero-knowledge we must modify the simulator to handle the
modifications in the protocol, and be able to deal with multiple incarnations of the prover using
(perhaps) the same random tape for the first prover module. We first note that the modifications
in the protocol do not interfere with the simulation as described. The simulator acts as the receiver
of the verifier's commitments, and that can be done in polynomial time. "Solving a proof" carries the same
meaning as before, namely, setting a value $p_i$ to equal $v_i$ for some preamble round $i$.

The more interesting change is the additional power of the verifier, who may ask that the first 
module of the prover be used with the same random string in several interactions. In terms of 
efficiency, this bears no effect on the simulator. The simulator can keep a list of the random coins 
used so far in the first prover module (i.e., to receive commitments from the verifier) and use these 
strings repeatedly upon request from the verifier. But will the output still be of (almost) the same 
distribution as the real interaction? 

The distribution of the commitments as played by the first prover module is perfectly simulated
since the simulator runs exactly the same algorithm as the prover. It remains to check that the
influence of this power given to the verifier is not destructive to the behavior of the simulator with
respect to the second prover module. To see that it is not, one must verify that the secrecy and
binding properties of the commitment scheme still hold even when the receiver must receive various
commitments with the same random string. Looking into the perfectly secret commitment schemes
cited above (e.g., [15]), it turns out that this is a property of these commitment schemes. Namely,
the receiver starts by choosing a random string (or a random succinct description of a function)
and sends his choice to the committer (here, the verifier). If that choice is good (and that happens with overwhelming
probability) then the committer can use it to make a polynomial number of commitments with
secrecy and binding properties preserved. (Actually, the same goes also for the computational
secrecy commitment scheme in [25], but that is not relevant to the argument.)

One additional issue, that has not been discussed, is whether the simulator may simulate several 
proofs that do not have the same input. To see that this bears no additional difficulty on the 
simulator, note that the input is only relevant for the body of the proof and there, the simulator 
behaves like the real prover, regardless of which specific input the proof uses. 

Thus, we get that the modified protocol is resettable zero-knowledge, and we are done with the
proof of Theorem 3.2.